This Metasploit module attempts to gain root privileges on Linux systems by abusing a vulnerability in the GNU C Library (glibc) dynamic linker with libmemusage.so library.
866ac744c655ede9c376e4a47945a3a0e64a8cdb089b30ec2822adfef9bb9512This Metasploit module attempts to gain root privileges on Linux systems by abusing a vulnerability in the GNU C Library (glibc) dynamic linker. glibc ld.so in versions before 2.11.3, and 2.12.x before 2.12.2 does not properly restrict use of the LD_AUDIT environment variable when loading setuid executables. This allows loading arbitrary shared objects from the trusted library search path with the privileges of the suid user. This Metasploit module uses LD_AUDIT to load the libpcprofile.so shared object, distributed with some versions of glibc, and leverages arbitrary file creation functionality in the library constructor to write a root-owned world-writable file to a system trusted search path (usually /lib). The file is then overwritten with a shared object then loaded with LD_AUDIT resulting in arbitrary code execution. This Metasploit module has been tested successfully on glibc version 2.11.1 on Ubuntu 10.04 x86_64 and version 2.7 on Debian 5.0.4 i386. RHEL 5 is reportedly affected, but untested. Some glibc distributions do not contain the libpcprofile.so library required for successful exploitation.
79d3dcb40544179ef2c545514e54b7352e225d51c57c720672f33d1b717c00e5Some distributions make virtfs-proxy-helper from QEMU either SUID or give it CAP_CHOWN fs capabilities. This is a terrible idea. While virtfs-proxy-helper makes some sort of flimsy check to make sure its socket path doesn't already exist, it is vulnerable to TOCTOU. This exploit should spawn a root shell, eventually, on vulnerable systems.
1e19e91a7c1729b5f293f8ceb076d4d844b703cbb48b10bd6f16f7fb62c5f677This is an exploit for W3 Total Cache called W3 Total Fail that works by attempting to guess SQL queries that might contain important password hashes.
2e978aeab0aad073084fa3c762212c6feb62f882be9a85f79fe5a5effb151596Viscosity OpenVPN client for Mac OS X suffers from a local root command execution vulnerability due to a suid binary executing site.py.
bbed2f8bef6e98f9f906db21866f9556901fd2af1233ad2af5fa7f69e3f8af21Tunnel Blick suffers from a race condition that allows for local root execution.
c1a060ee41fd2155da5b10c23e65df5727224db3293427daaed6fb1e2ec03027Pwnnel-Blicker is a second local root exploit for Tunnel Blick OS X OpenVPN manager.
469187a05e24af6ff54301dc1ce224c0d812f436efa24c7f9245c5385e416fb9This is the Mempodipper local root exploit for Linux. /proc/pid/mem is an interface for reading and writing, directly, process memory by seeking around with the same addresses as the process's virtual memory space. In 2.6.39, the protections against unauthorized access to /proc/pid/mem were deemed sufficient, and so the prior #ifdef that prevented write support for writing to arbitrary process memory was removed. Anyone with the correct permissions could write to process memory. It turns out, of course, that the permissions checking was done poorly. This means that all Linux kernels greater than and equal to 2.6.39 are vulnerable.
3a525daa17c897f966b003f33e20bb846db1a8e769624736feaf876a139f8576This is an amusing method of spawning an xterm using a macro in OpenOffice.org when using a Linux box.
e4ad2fa3a4cf1f1de98c219c6348e38c684d69e735f6c6fbde372c495a2f152cglibc LD_AUDIT arbitrary DSO load local root exploit that leverages a race condition to escalate privileges.
8c9850741e5f8fca1981297aa3458369e2f156d2152d098c2e4d2f48ebf2a8c0Calibre E-Book Reader local root race condition exploit that subverts recent changes preventing symlinks and checking path prefixes.
a8d8f271f9bcea57da5e8e80f09acc4ebc27b5f8820e5bdda23f748aa4eb75efCalibre E-Book Reader local root exploit that uses the mount helper to mount a vfat filesystem over /etc and then tinkers with /etc/passwd to make the root password toor temporarily.
803cea9af662f56f8c5d24c4e88e0d59ba6548ac865fb65d1a853fca08aef00cCalibre E-Book Reader local root exploit that leverages PATH manipulation and a suid mount helper.
e5fa170d241da03c918fe3a8ffb3e7a7364e4e4825c16fc83ac7bd17e8ee6b78PolicyKit versions 0.101 and below local privilege escalation exploit.
8e1577823139cfa501ce0535ad03ba8172e54feaed9443aab35fb42423be384bLinux kernel versions prior to 2.6.37-rc2 TCP_MAXSEG kernel panic denial of service exploit that triggers a divide by zero error in net/ipv4/tcp.c.
a828b90c5c0bad6750f1b7c65f1a2de7ed95c1f80ad18127d00d539bc776fa31FreeBSD versions 6.4 and below Netgraph local privilege escalation exploit.
f9bec532885df70ffa4f6568914b356999d9c3d3c17fd766a1248a5b0e06d65d
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Subscribe to an RSS Feed